January 2018

January 31, 2018

Law360 (sub. req.) reported on January 29th that the Fifth Circuit has upheld the conviction and sentencing of Anastasio Laoutaris, a former IT engineer for Locke Lord LLP. Laoutaris was found guilty of felony computer intrusion for attacks on the law firm's network in 2011 and ordered to pay $1.7 million in restitution and to serve 9 ½ years in prison.

He appealed after his sentencing in 2016, arguing that evidence at trial was insufficient because he was not proved to be the person who accessed Locke's network and caused the damage. He further argued that the sentence was unfair.

A three-judge panel affirmed the lower court's conviction, saying "Contrary to his assertions, there was ample circumstantial evidence identifying him as the perpetrator of these offenses." Court records show that Laoutaris twice accessed the firm's computer network, and on both occasions took measures that "caused significant damage to the network," including deleting or disabling hundreds of user accounts, desktop and laptop accounts and user e-mail accounts.

Laoutaris was charged in October 2013 with transmitting malicious code and with computer intrusion causing damage to 18 administrator accounts, 356 computers and 359 user accounts, and the data and information contained in and associated with those accounts. A second count charged Laoutaris with impairing 105 server accounts and 140 computer accounts, and a third count accused him of attacking the e-mail accounts of all Locke Lord's Dallas employees.

A superseding indictment returned in February 2015 narrowed the scope of the case, charging Laoutaris with two counts of computer intrusion causing damage. According to the superseding indictment, Laoutaris' attack affected 10 or more protected computers, causing at least $5,000 in losses.

In September 2015, a jury found him guilty of both counts.

Laoutaris said he was given an unfair sentence based on an obstruction of justice adjustment that he didn't deserve. The trial court found he committed perjury in his testimony at trial, but he said the false statements he allegedly made were either actually true or at least not false.

He also claimed that the restitution charges were too high because the court included $1.46 million of lost Locke Lord revenue in the total amount of actual loss. The Fifth Circuit disagreed.

The panel said the court's obstruction finding was plausible and not clearly erroneous. It also found that the $1.46 million sum was calculated based on the testimony of Locke Lord's forensic accountant and was a reasonable estimate of lost revenue.

This was really a remarkable case demonstrating how dangerous insiders can be and the kind of amazing havoc they can wreak. Hat tip to Dave Ries.

"We want to help people understand how blockchains work so that they can appropriately and usefully apply them to technology problems," said Dylan Yaga, a NIST computer scientist who is one of the report's authors. "It's an introduction to the things you should understand and think about if you want to use blockchain."

A blockchain is essentially a decentralized ledger that maintains transaction records on many computers simultaneously. Once a group, or block, of records is entered into the ledger, the block is linked mathematically (by a cryptographic hash) to the block before it, forming a chain of records. Because each block's hash is computed over its own contents and the previous block's hash, the information in a particular block cannot be altered without changing all subsequent blocks in the chain, which would create a discrepancy that other record-keepers in the network would immediately notice. Thus, blockchain technology produces a dependable ledger without requiring record-keepers to know or trust one another, removing the single point of failure and control that comes with data kept in a central location by a single owner.
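To make the "cannot be altered without changing all subsequent blocks" point concrete, here is a small added example (my own illustration, not code from the NIST report) of a hash-chained ledger. Each block's SHA-256 hash covers its records and the previous block's hash; verify_chain() walks the chain and reports the first block whose stored hash or back-link no longer matches. The sample records are constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_PREV = "0" * 64  # there is no block before the first one


@dataclass
class Block:
    index: int
    records: List[str]
    prev_hash: str
    hash: str = ""


def block_hash(index: int, records: List[str], prev_hash: str) -> str:
    """SHA-256 over the block's own contents AND the previous block's hash.
    Including prev_hash is what links the blocks into a chain."""
    payload = json.dumps(
        {"index": index, "records": records, "prev": prev_hash}, sort_keys=True
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[Block], records: List[str]) -> Block:
    prev_hash = chain[-1].hash if chain else GENESIS_PREV
    index = len(chain)
    records = list(records)
    block = Block(index, records, prev_hash, block_hash(index, records, prev_hash))
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> int:
    """Return the index of the first inconsistent block, or -1 if the chain is intact.
    A block is inconsistent if its back-link does not match the previous block's
    hash, or if its stored hash does not match a recomputation over its contents."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return i
        if block_hash(block.index, block.records, block.prev_hash) != block.hash:
            return i
    return -1


def build_sample_chain() -> List[Block]:
    # Constructed sample ledger, three blocks.
    chain: List[Block] = []
    append_block(chain, ["genesis"])
    append_block(chain, ["alice->bob 5"])
    append_block(chain, ["bob->carol 2"])
    return chain


def tamper_demo():
    """Show what a record-keeper sees when someone edits history.
    Returns (intact, after_edit, after_rehash)."""
    chain = build_sample_chain()
    intact = verify_chain(chain)  # -1: everything consistent

    # An attacker quietly changes a record in block 1.
    chain[1].records[0] = "alice->bob 500"
    after_edit = verify_chain(chain)  # 1: block 1's stored hash no longer matches

    # The attacker recomputes block 1's hash to hide the edit...
    chain[1].hash = block_hash(chain[1].index, chain[1].records, chain[1].prev_hash)
    after_rehash = verify_chain(chain)  # 2: block 2's back-link is now stale

    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

The third result is the whole point: fixing up one block just moves the discrepancy to the next block, so a forger would have to rewrite every later block, and every other copy of the ledger would still disagree. Real blockchains add a consensus mechanism on top of this so that no single party can rewrite the tail of the chain either; that part is outside this illustration.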

The blockchain idea has attracted enough supporters that there are now several hundred digital currencies on the market. Because the market is growing so rapidly, several stakeholders, customers and agencies asked NIST to create a clear description of blockchain so that newcomers to the marketplace could enter with the same knowledge about the technology.

When is it appropriate to use blockchain? The report outlines some possible use cases, including banking, supply chain management and keeping track of insurance transactions.

As blockchain has exploded, we have seen a quick escalation of interest in it by law firms. While blockchain is the shiny new toy of technology, there are cautionary words in the NIST Guide. Read carefully – an espresso (or two) is probably the appropriate drink to accompany your reading.

January 29, 2018

As readers of RTL know, I am devoted to ABA TECHSHOW. I have had the honor of speaking there over many years – and even chaired the conference. For me, it is still the best "bang for the buck" for 2 ½ days of legal tech education.

This year's conference is March 7-10 and has moved to the Hyatt Regency Chicago – a happy move because we have outgrown other hotels! Today is the last day for early bird pricing, so hustle on over to the ABA TECHSHOW website and register!

My husband and business partner John Simek will be presenting at the following sessions:

A Tour of the Dark Web: Dangers and Discovery

Protecting Your Firm from Ransomware Attacks

60 Tech Tips in 60 Minutes

And if you want a preview of ABA TECHSHOW 2018, listen to my Legal Talk Network Digital Edge podcast with Jim Calloway, in which Jim and I interview Debbie Foster and Tom Mighell, the co-chairs of this year's conference. They are sure to gin up your enthusiasm for joining us in Chicago!

January 25, 2018

As DARKReading noted in a post on January 23rd, there are no "standard provisions" in cyberinsurance policies – they are all over the map in what they do – and do not – cover. Frequently, law firms and other businesses think they are covered for specific things, when they are not.

Here are 10 costs that people most often mistakenly believe are covered.

Financial loss during downtime.

Losses incurred during a policy "waiting time."

Third-party mistakes.

New hardware.

Software upgrades.

Social engineering, including business e-mail compromise (BEC) attacks.

Bodily injury/property damage.

Fines and penalties issued by the Payment Card industry.

Reputation damage.

Loss from account takeover schemes.

Mind you, you may have a wonderful policy that includes all of these things or at least a good policy that includes some of them. And you pay more for some of these things, which is always a factor in purchase decisions. But this list includes the misapprehensions about coverage most often experienced. Take a look at the post to get a fuller look at all 10 costs – and then go check your cyberinsurance policy to see if they are covered.

And if you don't have a cyberinsurance policy, time's a-wasting . . . .

January 24, 2018

Bitdefender's Hot for Security blog was thrown a softball last week, when a photo surfaced from the Hawaii Emergency Management Agency (HEMA), which famously issued a false alert on January 13th about a ballistic missile heading to Hawaii. As the post notes, the false alarm was caused by a worker who was supposed to send an internal test but mistakenly chose the wrong menu item. HEMA, as everyone has noted, needs a few more safeguards in place before alerts go out.

But oh boy, how could one resist penning a post on a photo which shows the smiling face of Jeffrey Wong, HEMA's operations officer, in front of a bank of computer screens. One computer is adorned by a Post-it note which appears to say: "Password Warningpoint2".

We don't know precisely what that password is for, but that sticky note sure says a lot about the state of security practices at HEMA. Tsk, tsk. With or without cameras nosing about, Post-its with passwords should be verboten!

January 23, 2018

ZDNet reported that researchers have discovered file dumps on the Dark Web containing close to 1.2 million e-mail addresses and credentials from the UK's top law firms.

On January 22nd, cybersecurity firm RepKnight released a whitepaper detailing the research. In total, 1,159,687 e-mail addresses were found in the dumps and 80 percent of the addresses were connected to leaked passwords. Worse yet, the passwords were often stored in plaintext.

The information dumps represent an average of 2,000 compromised credentials per company. The largest law firm accounted for 30,000 leaked e-mail addresses alone.

Readers, note this well: According to RepKnight, the majority of the credentials do not appear to have been stolen directly from the law firms but were collated from third-party data breaches. However, over half of the data dumps were posted in the last six months.

Given this leaked data, the bad guys can infiltrate corporate networks using legitimate credentials, potentially avoiding detection. The information may also prove useful for phishing attacks as malicious e-mails can be sent from legitimate addresses.

"The data we found represents the easiest data to find -- we just searched on the corporate email domain," said Patrick Martin, cybersecurity analyst at RepKnight. "A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical record and HR files. That's why -- in addition to securing their networks -- every firm should be deploying a Dark Web monitoring solution, so they can get alerted to leaks and breaches immediately."
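Martin's "we just searched on the corporate email domain" is a check any firm can run itself against a dump it obtains. The following is an added example of my own, not RepKnight's tooling: it parses a constructed combo-list style dump (one email:secret per line, invented addresses and secrets), keeps only the domains you monitor, counts distinct addresses, classifies each secret as plaintext, a recognizable hash format, or absent, and lists the accounts whose plaintext password is exposed so their passwords can be reset first. The hash detection is a format heuristic (MD5/SHA-1/SHA-256 hex and bcrypt), which is an assumption about how such dumps look rather than a rule.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed sample dump in the common "email:secret" combo-list layout.
# Every address and secret here is invented for the demonstration.
SAMPLE_DUMP = """\
jane.doe@examplefirm.co.uk:Summer2017!
john.smith@examplefirm.co.uk:5f4dcc3b5aa765d61d8327deb882cf99
partner@otherfirm.co.uk:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
jane.doe@examplefirm.co.uk:
assoc@examplefirm.co.uk:Password123
random@gmail.com:letmein
this line is not a credential
"""

# Domains the firm wants alerts for (assumed, not real firms).
MONITORED_DOMAINS: Set[str] = {"examplefirm.co.uk", "otherfirm.co.uk"}

# Heuristic: hex digests of common lengths and bcrypt strings look "hashed";
# anything else non-empty is treated as plaintext.
HASH_PATTERNS = [
    re.compile(r"^[0-9a-f]{32}$", re.I),   # MD5
    re.compile(r"^[0-9a-f]{40}$", re.I),   # SHA-1
    re.compile(r"^[0-9a-f]{64}$", re.I),   # SHA-256
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),  # bcrypt
]


def classify_secret(secret: str) -> str:
    """Return 'none', 'hashed' or 'plaintext' for the secret half of a dump line."""
    if not secret:
        return "none"
    if any(p.match(secret) for p in HASH_PATTERNS):
        return "hashed"
    return "plaintext"


def parse_records(text: str, domains: Set[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (email, domain, secret_class) for lines whose domain is monitored.
    Malformed lines and addresses outside the monitored domains are skipped."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        email = email.strip().lower()
        domain = email.rpartition("@")[2]
        if "@" not in email or domain not in domains:
            continue
        yield email, domain, classify_secret(secret.strip())


def summarize_dump(text: str, domains: Set[str]) -> Dict[str, Dict[str, int]]:
    """Per-domain counts: distinct addresses and how many entries carried a
    plaintext secret, a hashed secret, or no secret at all."""
    addresses: Dict[str, Set[str]] = defaultdict(set)
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"plaintext": 0, "hashed": 0, "none": 0}
    )
    for email, domain, kind in parse_records(text, domains):
        addresses[domain].add(email)
        counts[domain][kind] += 1
    return {
        d: {"addresses": len(addresses[d]), **counts[d]} for d in sorted(addresses)
    }


def exposed_accounts(text: str, domains: Set[str]) -> List[str]:
    """Addresses that appear with a plaintext secret: reset these first."""
    return sorted({e for e, _, kind in parse_records(text, domains) if kind == "plaintext"})


if __name__ == "__main__":
    for domain, stats in summarize_dump(SAMPLE_DUMP, MONITORED_DOMAINS).items():
        print(domain, stats)
    print("force reset:", exposed_accounts(SAMPLE_DUMP, MONITORED_DOMAINS))
```

Two practical caveats. First, a "hashed" entry is not a safe entry: unsalted MD5 or SHA-1 of a typical password is cracked in seconds, so those accounts deserve a reset too, just with less urgency than the plaintext ones. Second, matching on the corporate domain finds only the easy cases Martin describes; it says nothing about whether the same person reused that password on the firm's own systems, which is the credential-stuffing risk the next paragraph warns about.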

January 22, 2018

Twenty-one states and the District of Columbia are trying to block the repeal of net neutrality rules. They filed a petition for review last Tuesday in the U.S. Court of Appeals for the District of Columbia Circuit, according to a press release from New York Attorney General Eric Schneiderman.

The petition argues the Federal Communications Commission decision to eliminate net neutrality was arbitrary and capricious, in conflict with notice and rule-making requirements and unconstitutional.

Schneiderman contends that the FCC failed to justify its departure from policy defending net neutrality, and its decision improperly pre-empted state and local laws.

The jurisdictions that came together to file the petition are New York, California, Connecticut, Delaware, Hawaii, Illinois, Iowa, Kentucky, Maine, Maryland, Massachusetts, Minnesota, Mississippi, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, Washington, and the District of Columbia.

January 18, 2018

Thirteen years of spying is a long run. As Naked Security reported on January 12th, the technical description of the "Fruitfly" malware is "spyware." But given the way it has allegedly been used, I agree that it might accurately be described as "creepware."

According to a 16-count indictment unsealed in the US District Court for the Northern District of Ohio, its creator, Phillip R. Durachinsky, 28, used it to spy on thousands of victims for more than 13 years. Durachinsky spent this time not only collecting personal data but also watching and listening to victims through their webcams and microphones (that is very creepy), and using some of what he collected to produce child abuse imagery (that is beyond creepy – what a horror show).

Durachinsky, of North Royalton, Ohio, was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child abuse imagery, and aggravated identity theft.

According to the Department of Justice, the software enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user's keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.

He used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, internet searches, and potentially embarrassing communications.

The indictment charges that while Durachinsky primarily used Fruitfly to infect Macs, he also wrote variants of Fruitfly that were capable of infecting computers running Windows.

The DOJ said he saved millions of images, kept detailed notes on what he observed, and designed it to alert him if a user typed words associated with pornography.

Perhaps the most amazing thing about Fruitfly is that it is both unsophisticated and relatively easy to find, yet according to the DOJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.

So far, it is not clear how Fruitfly infects computers, but since there is no evidence it exploited vulnerabilities, it probably gained access by tricking victims into clicking on malicious Web links or e-mail attachments.

Prosecutors also asked the court to order that Durachinsky forfeit any property he derived from his 13-year campaign, an indication that they allege he sold the images and data he acquired to others.

January 17, 2018

As Naked Security reported, a January 4th update to the US Customs and Border Protection's (CBP) "Border Search of Electronic Devices" directive, the first since August 2009, now requires that agents have at least "reasonable suspicion" of illegal activity or a threat to national security before they can conduct an in-depth, forensic examination or copy the contents of devices they search at border crossings.

Without that "reasonable suspicion," agents can only conduct a so-called "basic search," which means they can only look at data that's "physically resident on the phone," and not stored on a remote server.

Sen. Ron Wyden, (D-OR) damned the new directive with faint praise. He called it "an improvement," but said in a statement that it still allows, "far too many indiscriminate searches of innocent Americans."

He noted that CBP agents don't need even the "reasonable suspicion" threshold to conduct a basic search of devices, which includes, "looking through their browsing history, photos and messages stored on the device."

You took the words right out of my mouth, Congressman.

There are more of those "basic" searches being conducted than at any time in history. The CBP has acknowledged that the number of searches has jumped from 5,085 in 2012 to 30,151 in 2017.

Border agents also don't need reasonable suspicion to conduct an advanced device search when "there is a national security concern." This exception will surely swallow the rule, as "national security" can be construed exceedingly broadly and CBP has provided few standards for agents to follow. The EFF's Cope and Mackey also contend there isn't much difference between "basic" and "advanced" searches – that both are highly intrusive.

The new directive also states that, "travelers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents." That means the CBP is requiring people to unlock or decrypt their devices. According to the EFF, they have a right to refuse.

But if they do, there may be such consequences as travel delay, device confiscation, or even denial of entry for non-US persons.

The EFF also notes that the new directive doesn't apply to US Immigration and Customs Enforcement (ICE) or to agents from Homeland Security Investigations (HSI), which also conduct border searches.

The loopholes are large enough for an elephant to walk through – and our constitutional protections shouldn't end at the border.

January 16, 2018

Here we go again with apps giving away our secrets. BGR reported on January 14th that Apple's Health app on an iPhone provided investigators with information about who raped and murdered a young medical student in Germany late last year.

German authorities already have a suspect in custody, a man identified only as Hussein K. Hussein K has already admitted his involvement, though some details regarding the murder still remain unclear. Hussein K refused to provide the PIN code of his iPhone to investigators, which led authorities to hire a Munich-based security firm which hacked into the device.

Apple's Health app has come standard with iOS for years now, with the ability to track a user's daily steps and other types of physical activity.

Data from Hussein K's Health app revealed the exact time of day he was busy climbing stairs on the day of the murder. The time in question reportedly aligns with when police believe the victim was dragged down a flight of stairs to a nearby river and drowned.

The phone also recorded periods of more strenuous activity, including two peaks, which the app identified as "climbing stairs". An investigator of similar build to the suspect went to the area where the body was discovered and recreated how the police believe he disposed of the body. The police officer's movement data in the same app was also identified as "climbing stairs."

Phone evidence is everywhere – and apps are proving to be a rich source of useful data, as the number of phones in our forensics lab attests!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.